releasetools: Use delta_generator to verify payload signatures. (750385e4) · Commits · e / os / android_build

Commit 750385e4 authored Dec 15, 2017 by Tao Bao

releasetools: Use delta_generator to verify payload signatures.

We used to take a hard approach by parsing the payload with Python
script. This can be done by calling deleta_generator directly, which
also avoids the dependency on protobuf.

- Passing case
$ ./build/make/tools/releasetools/check_ota_package_signature.py \
    build/target/product/security/testkey.x509.pem \
    out/dist/aosp_marlin-ota-eng.zip

Package: out/dist/aosp_marlin-ota-eng.zip
Certificate: build/target/product/security/testkey.x509.pem
  ...
Whole package signature VERIFIED

Verifying A/B OTA payload signatures...
[1215/122842:INFO:generate_delta_main.cc(171)] Verifying signed payload.
[1215/122845:INFO:payload_verifier.cc(93)] signature blob size = 264
[1215/122845:INFO:payload_verifier.cc(112)] Verified correct signature 1 out of 1 signatures.
[1215/122845:INFO:payload_verifier.cc(93)] signature blob size = 264
[1215/122845:INFO:payload_verifier.cc(112)] Verified correct signature 1 out of 1 signatures.
[1215/122845:INFO:generate_delta_main.cc(181)] Done verifying signed payload.

Payload signatures VERIFIED

$ echo $?
0

- Failing case
Sign the whole package file with a different key, but leaving payload entries intact.

$ ./build/make/tools/releasetools/check_ota_package_signature.py \
    testkey2.x509.pem \
    marlin-ota-mismatching.zip
Package: marlin-ota-mismatching.zip
Certificate: testkey2.x509.pem
  ...
Whole package signature VERIFIED

Verifying A/B OTA payload signatures...
[1215/123054:INFO:generate_delta_main.cc(171)] Verifying signed payload.
[1215/123056:INFO:payload_verifier.cc(93)] signature blob size = 264
[1215/123056:ERROR:payload_verifier.cc(118)] None of the 1 signatures is correct. Expected:
[1215/123056:INFO:utils.cc(444)] Logging array of length: 256
[1215/123056:INFO:utils.cc(461)] 0x00000000 : 00 01 ff ff ff ff ff ff ff ff ff ff ff ff ff ff
  ...
[1215/123056:ERROR:payload_verifier.cc(121)] But found decrypted hashes:
[1215/123056:INFO:utils.cc(444)] Logging array of length: 256
[1215/123056:INFO:utils.cc(461)] 0x00000000 : 52 68 78 36 f6 9e cd 2d 5e 9f 31 d5 26 03 c9 aa
  ...
[1215/123056:ERROR:payload_signer.cc(333)] PayloadVerifier::VerifySignature( signature_blob, public_key_path, payload_hash) failed.
[1215/123056:INFO:generate_delta_main.cc(177)] VerifySignedPayload failed

    ERROR: Failed to verify payload with delta_generator: marlin-ota-mismatching.zip

$ echo $?
1

Bug: 65261072
Test: See above.
Change-Id: Id2e065655ec49b80dd2b13c6a859f41913be055b

parent 23f7ea9e

Hide whitespace changes

Inline Side-by-side

Please register or to comment